Advertising Technology: The Invisible Tracker Cheating Privacy

Babur Kohy, CDPSE, CASO, and Michael M. Dowd CASO, XRY
Date Published: 28 June 2021

There are many privacy concerns impacting humanity across the globe—one of which is advertising technology (ad tech). Every Android or iOS mobile device is equipped with advertising identification (ID) or an identifier that is used to send specific advertisements to targeted individuals. However, this capability can also be used from an adversarial targeting perspective. An adversary can obtain a consumer’s specific location, precise travel history, length of time at a specific location and information on their associations with other individuals through device correlations and cause harm to the consumer. Having a clear understanding of how mobile devices operate and how to limit data leakage decreases the chance of being a target.

The Invisible Tracker

The advertising ID is a unique sequence of alphanumeric characters that is assigned to each mobile device by the operating system. This information is used by marketers, advertisers and application (app) publishers to anonymously identify users, understand user behavior and target users with specific ads. Data collected from each device is extremely detailed and can reveal behavioral patterns of users.

Google Advertiser Identification (GAID) and Apple’s Identifier for Advertisers (IDFA) are 2 major ways for advertisers to serve ads to users. This technology, in its various forms, allows brands, carriers and ad tech enterprises to collect valuable insights about users. This information can reveal details of a user’s spending habits or their social media interactions, and the data gathered can be bought and sold many times over.

Threat Model

Offline, location-based tracking is also common. More targeted ads, in theory, should be a win-win for both the consumer and the advertiser—the consumer receives a good deal on a good or service and the advertisers make money. However, this information can also be used in ways that do not benefit the users, such as organizations that buy the information to create profiles of specific users without the original user’s consent. Anyone that can pay for this information can purchase this data either directly, indirectly or as part of other data sets. Figure 1 illustrates a sample threat model explaining how ad tech information can be used to target a user.

Figure 1—Sample Threat Model for Malicious Tracking

Figure 1 shows the end-to-end process of a nefarious entity who uses ad tech data to target an individual. Pattern of life (POL) is an individual’s unique behavior and movement within a specific period of time. Area of interest (AOI) is a particular geographic location of interest to the person or organization targeting a region. By following this process, the nefarious entity can identify where the said individual works, where they live, where they travel, where they spend their money and with whom they associate. This information can go as far back as the initial purchase date of the device.

Mitigation Techniques

Unfortunately, there is not a one-and-done solution to this problem. However, there are steps that users of iOS and Android devices can take to limit tracking. Users should ensure that these controls are in place after each update or monthly, at minimum. This regimen should be part of users’ basic cybersecurity and privacy hygiene.

iOS
The IDFA is hidden by default. Starting with iOS version 14.5, Apple does not offer a way to see the IDFA. To mitigate this data leak via IDFA, users can navigate to Settings > Privacy > Apple Advertising and turn off Personalized Ads.

Apple’s iOS version 14.5 update or newer encourages app developers to ask for consent to track before accessing a user’s data or sending them ads. This is a positive step toward better privacy, but it does not completely solve tracking issues.

iOS users can also use an app called Lockdown Privacy that "…blocks trackers and ads—in all your apps."1 It is an open source project and the source code is available for public review.

For this research, the Lockdown Privacy app’s firewall feature was used during a 4-week period to prove that the app works as intended, blocking most (but not all) trackers. Figures 2, 3 and 4 show the effectiveness of the Lockdown Privacy app.

Figure 2—Lockdown App Landing Page

Figure 3—The Blocked List Configuration Page

Figure 4—Custom Blocking

For the specific test date of 3 May 2021, 510 trackers were blocked.

Select block lists are provided by default. Custom domain names can be added as desired. For instance, by adding google.com to the custom block list, the user is no longer able to visit google.com.
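
The block-list decision described above, as an added example that is not from the article or from the Lockdown Privacy project. It assumes an entry blocks the named domain and all of its subdomains; the default list entries, hostnames and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data, not taken from the Lockdown Privacy app.
DEFAULT_BLOCK_LIST = {"tracker.example", "ads.example.net"}
CUSTOM_BLOCK_LIST = {"google.com"}  # the custom entry the article mentions
CONSTRUCTED_LOOKUPS = [
    "www.google.com",
    "Google.com.",            # mixed case with a trailing root dot
    "notgoogle.com",          # same string suffix, but a different domain
    "cdn.tracker.example",
    "ads.example.net",
    "example.net",            # parent of a blocked name, not blocked itself
    "news.example.org",
]

def normalize(hostname):
    """Lower-case a hostname and drop the trailing root dot."""
    return hostname.strip().lower().rstrip(".")

def matching_rule(hostname, block_list):
    """Return the block-list entry covering hostname, or None.

    Assumed policy: an entry blocks the domain itself and every subdomain.
    Names are compared label by label, so "notgoogle.com" is not caught
    by an entry for "google.com".
    """
    labels = normalize(hostname).split(".")
    for start in range(len(labels)):
        candidate = ".".join(labels[start:])
        if candidate in block_list:
            return candidate
    return None

def summarize(lookups, block_list):
    """Count blocked lookups per rule and collect the allowed hostnames."""
    blocked, allowed = Counter(), []
    for host in lookups:
        rule = matching_rule(host, block_list)
        if rule is None:
            allowed.append(normalize(host))
        else:
            blocked[rule] += 1
    return blocked, allowed

if __name__ == "__main__":
    rules = {normalize(d) for d in DEFAULT_BLOCK_LIST | CUSTOM_BLOCK_LIST}
    blocked, allowed = summarize(CONSTRUCTED_LOOKUPS, rules)
    print("blocked per rule:", dict(blocked))
    print("allowed:", allowed)
```
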

Figure 5—Sample Blocked Trackers

Figure 6—Sample Blocked Domains

The app blocked many different trackers and domains.

Android OS
The GAID can be changed manually. A device’s GAID can be found by navigating to Settings > Ads. The AdID can be changed by navigating to Reset Advertising ID and clicking OK when the confirmation screen appears. It is also recommended to opt out of personalized ads.

Oxford Research Associate Perspective

Oxford University's Center for Technology and Global Affairs (Oxford, England) noted that "Resettable IDs [which are ad tech IDs on mobile devices] are not a comprehensive solution. They aim to give the user some control, but often they only offer the perception of control. For the system to work, apps and ad networks need to honor the agreements about only collecting ad IDs and not re-sharing them."2

Conclusion

There is no way to completely eliminate tracking through ad tech with iOS and stock Android OS. However, there are ways to limit the capability of trackers by using ad blockers. When working with privacy-related matters, practitioners must think about all the ways privacy can be cheated. The cyberdomain is ever evolving and continuous technological advances come with challenges. Because of this, it is crucial to fully understand the devices used and integrate security, privacy and reliability into POL early on. By taking the necessary steps to secure themselves, practitioners can bring the same mindset to their clients when solving their privacy challenges.

Endnotes

1 Lockdown Privacy
2 Newman, L. H.; "A Simple Way to Make it Harder for Mobile Ads to Track You," Wired, 21 September 2019

Babur Kohy

Is an accomplished cybersecurity professional in the areas of cyber defense, cloud security, managed attribution networks, threat awareness and organizational resilience. He lectures extensively on deep and dark web techniques for the identification and exploitation of dark net gateways to enhance personal security and anonymity. He hopes to pioneer identity resolution techniques within managed attribution networks through his academic research. He is the academics director for the ISACA® Greater Washington DC (USA) Chapter. He is the founder of CyTalks.com, a platform for cybersecurity training and discussions.

Michael M. Dowd

Is a technical operations officer and has worked in the intelligence and defense industry, including at the US Department of Defense (DoD), for more than 18 years. He has served as a US Army Special Operations Operator, a collection officer at the US Central Intelligence Agency (CIA) and a subject-matter expert for the US DoD Special Operations Command. He has managed and conducted counterterrorism, covert action and technical collection operations worldwide and has made significant contributions to the national security of the United States.